Archive for Scam

Scam Call Turns Deadly With An Uber Driver Being Killed

Posted in Commentary with tags on April 16, 2024 by itnerd

I have dealt with scammers for years. But this is the first time that I have heard of a scam leading to someone being killed. I have for you a news report where a man in Ohio was being bombarded with scam calls, which led to an Uber driver being shot and killed by said man. Here’s the video that describes what happened. And I will say that this is not for the faint of heart:

What this appears to be is a scam where instead of the scammers using electronic means to steal money from you, they somehow get you to withdraw cash and then have someone pick it up from you. That someone may be an intermediary who delivers it to someone else who sends the money to its final destination, or they may do that themselves. This is sometimes referred to as a “Hawala”, which you can get more info on here.

Now the police have arrested this man for shooting the Uber driver. But what I wish would also happen, but I don’t see it happening, is that the scumbags behind this scam get tracked down and arrested as well as they are just as guilty in this Uber driver’s death. I’ve said it before and I will say it again. Scammers are the lowest forms of life out there. They need to be treated like cockroaches and exterminated with extreme prejudice. And the fact that this happened illustrates why that needs to happen sooner rather than later.

Tis The Season For Canada Revenue Agency Related Email #Scams

Posted in Commentary with tags on April 9, 2024 by itnerd

It’s tax time here in Canada. And much like spring flowers, Canada Revenue Agency scams are popping up everywhere. Here’s today’s example. This arrived via email late yesterday:

Now right off the top I knew that it was a scam for the following reasons:

  1. If you have set up direct deposit, your tax refund is sent to your bank account automatically. You do not have to lift a finger to get it.
  2. The day that I received this was yesterday which was April the 8th. But this email claims that the refund will expire on April the 7th. Thus this threat actor isn’t all that smart as they clearly can’t pay attention to the details.

There’s also a third thing that identified this as a scam:

That’s the email address that the email was sent from. Which is not the Canada Revenue Agency, whose addresses typically end in cra-arc.gc.ca. So if you see this email, and you’ve identified all of this, this is the point where you should delete this email. But I’m going down the rabbit hole to expose their endgame. Which is of course a scam to capture your banking credentials. So after clicking on “Deposit your refund”, which by the way you should never do, you get taken to this web page:

Now you’ll notice the address of the web page. Here’s a closer look:

That’s not the Canada Revenue Agency as their website is https://www.canada.ca/en/revenue-agency.html. But the threat actors are hoping that you won’t notice. Clicking on the CAPTCHA (which works by the way) takes you here:

Then from there, the threat actors have spent some time trying to replicate each bank’s web page to fool you into entering your banking credentials so that they can swipe your hard earned money. Take CIBC for example:

Other than the two missing pictures at the bottom of the page, this is a pretty good replication of the actual CIBC website. While the threat actors didn’t get that detail right, what they did get right was the fact that there’s code to check the validity of the card number that you have to enter. That way the threat actors aren’t wasting time going through bogus data to find the bank accounts that they can actually steal money from. That shows how crafty these scammers have become. It also shows why you need to always watch out for them as they are clearly evolving to better execute their scams. Thus as always, delete this email the second it arrives in your inbox and move on with your day.
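The two checks in this post (sender address not under cra-arc.gc.ca, link not under canada.ca) can be turned into a small triage script. The one below is an added example and not something from the original post; the legitimate domains come from the post, while the sample messages, the hostnames ending in .example, and the function names are constructed for illustration. It matches on whole domain labels, so lookalikes such as cra-arc.gc.ca.something.example and user-info tricks such as https://www.canada.ca@something.example are flagged rather than accepted.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Domains the post identifies as the real ones (everything else is suspect).
LEGIT_SENDER_DOMAINS = {"cra-arc.gc.ca"}
LEGIT_LINK_DOMAINS = {"canada.ca"}


def _under(host: str, domains) -> bool:
    """True only if host equals one of domains or is a proper subdomain of one.
    Matching on whole labels means 'cra-arc.gc.ca.phish.example' does NOT pass."""
    host = host.lower().rstrip(".")
    return any(host == d.lower() or host.endswith("." + d.lower()) for d in domains)


def sender_is_legit(from_header: str) -> bool:
    """Check the real address, not the display name, in a From: header."""
    _display, addr = parseaddr(from_header)
    if "@" not in addr:
        return False
    return _under(addr.rsplit("@", 1)[1], LEGIT_SENDER_DOMAINS)


def link_is_legit(url: str) -> bool:
    """Require https and a hostname under an allowed domain."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https" or not parts.hostname:
        return False
    return _under(parts.hostname, LEGIT_LINK_DOMAINS)


def triage(from_header: str, urls) -> list:
    """Return the reasons a message looks like a scam (empty list = nothing found)."""
    reasons = []
    if not sender_is_legit(from_header):
        reasons.append("sender domain is not cra-arc.gc.ca")
    for url in urls:
        if not link_is_legit(url):
            reasons.append(f"link does not lead to canada.ca: {url}")
    return reasons


# Constructed sample messages (hypothetical, not taken from the post).
SAMPLES = {
    "refund_scam": ("Canada Revenue Agency <refund@cra-refunds.example>",
                    ["https://www.canada.ca.refund-portal.example/deposit"]),
    "display_name_trick": ('"noreply@cra-arc.gc.ca" <alerts@mailer.example>',
                           ["https://www.canada.ca@login.example/refund"]),
    "looks_ok": ("CRA <noreply@cra-arc.gc.ca>",
                 ["https://www.canada.ca/en/revenue-agency.html"]),
}

if __name__ == "__main__":
    for name, (sender, urls) in SAMPLES.items():
        print(name, triage(sender, urls) or "no red flags found")
```

Passing the triage is not proof that a message is genuine (a From: header can be forged, which is why the post also recommends never clicking the button), but failing it is reason enough to delete the email.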

I Had To Deal With The Aftermath Of A Facebook #Scam… Here’s How You Can Avoid Being A Victim

Posted in Commentary with tags , on April 6, 2024 by itnerd

Yesterday I was preparing my first coffee of the day when I got a phone call from a client who was in a panic. Here’s why she was in a panic.

The client has a Facebook account and she went to reset her password. However Facebook never sent her a verification code as per this document despite the many ways and times that she tried to get one. So as a result of that she needed help. Thus she Googled for a tech support number for Facebook. As a result she found a number and phoned it. The people at the other end said that they needed ID to prove who she was. She then sent them a photo of her driver’s licence. They then said she would hear back from them in 48 hrs. When that didn’t happen she realized that she had fallen for a scam and called me.

I’m going to stop right here and dissect this.

Let’s start with the fact that Facebook doesn’t have any public facing support at all. And there is no phone number that you can phone to get help with Facebook. So what that does is it creates a vacuum where scammers can fill that void to run any number of scams. How do they do that? Well, the scammers use a technique called SEO poisoning to make sure that their results are at the top of the list of the Google search engine because they know that humans are likely to pick something from the first six or seven items in a results list on Google. Here’s an example of what I am talking about:

Every single link in this picture leads to a scammer. I know this because I tested this myself. And all a scammer has to do next is wait for the calls to come in. And when they do, they can execute their scam.

So what was the scam in this case? Given that, according to her, they didn’t ask for money and simply wanted her ID, I suspect that identity theft is their endgame here. I say that because that driver’s licence is worth a lot of money on the dark web. And you can do all sorts of things with a driver’s licence. Such as get a cell phone account with any carrier in Canada for example. Or open a bank account. Or perhaps even get a loan. And it would leave the victim of this on the hook.

So this is clearly a bad situation. But before I tell you how to avoid being in this situation, let me tell you about what you should do if you find yourself in this situation. And frequent readers will find some of this information familiar.

  • You need to report it to your local police who can then give you additional directions. Beyond that, the U.S. Federal Trade Commission has a website for scam reporting, while the Canadian Anti-Fraud Centre is the place to go if you’re in Canada. Other countries have similar organizations for reporting scams.
  • I strongly recommend that you sign up for credit monitoring via Trans Union and Equifax right away. That way you can get an alert if someone tries to do something like take out a loan or tries to get a cell phone in your name, and take action to protect yourself.

One thing to keep in mind is that you’re also highly likely to be the target of scams going forward as now the scammers have your personal information. Which means that they can craft scams that are more convincing and be more likely to succeed. Which means that you really need to be on guard.

So, how can you avoid getting scammed? In the case of Facebook, the only way to get help with Facebook is at https://www.facebook.com/help. As I said earlier, Facebook has no public facing support organization. Nor do they have any phone number that you can call. Also, I should mention that there are circumstances where Facebook may ask you for ID. Those circumstances are listed here. Finally, here’s an unconventional method for getting help with Facebook. Phone a tech savvy millennial. Often they can assist you with things like account lockouts and the like which will help you to avoid this situation.

Pro Tip: If they try to phone “Facebook” for help, you’ve got the wrong millennial.

Hopefully this helps you to avoid a Facebook scam. If you have any questions about this, please leave a comment below and I will do my best to get back to you.

An Email #Scam Using CIBC’s Name Is Making The Rounds

Posted in Commentary with tags , on March 30, 2024 by itnerd

There’s lots of scams out there for you to keep an eye on. And I’m adding one more to the list. That scam will show up in your inbox and look like this.

Now scams will often present a problem that requires immediate action to make you fall for it. This one is no different. Apparently my online access has been revoked and I need to “click to gain accss”. The spelling of the word access was my first hint that this was a scam email. The second was that there were two commas after the word customer. Then there’s the fact that I am not specifically named in this email. Any email I’ve gotten from CIBC as that’s my bank has my full name in it. So that’s three strikes and this email should be deleted. But there’s actually a fourth problem with this email:

This didn’t come from CIBC as the email address is wrong. The correct email address that CIBC uses is this one:

At this point, I should have deleted the email and moved on. But as you know, that’s not how I roll. So I copied the URL into the web browser on my testing computer and got this:

Now I will give the threat actor some points for registering a URL that looks like “CIBC-Online” so that you will be fooled into thinking that this is the actual CIBC website. The use of a CAPTCHA is an interesting touch as that adds a vibe that this is the legitimate CIBC website. Click on the “I’m not a robot” part and you get this:

Again, I have to give the threat actor credit here for creating a very convincing fake CIBC website. And the part at the bottom left where it says “Safe banking online, guaranteed” is a nice touch. Even though there is nothing safe about this website. One area where they failed is the check box for “show password”. It doesn’t work. That’s a hint that this is a fake website. Though they didn’t get every aspect right. Take this for example:

They had a couple of missing images. No legitimate bank would ever let a website go online with that sort of screw up.

Another sign that this is a skilled threat actor is the fact that they had code that validates that the card number that you enter is real. That way they know if they got some valid credentials that they can use to presumably drain your bank account dry. I say presumably because this is as far as I got. But that’s as far as I needed to get to be able to document this scam and bring it to you so that you don’t fall for it. Thus as always, if you get an email that looks like this, delete it and move on with your day.

I Questioned Freedom Mobile’s Security When It Comes To Preventing A SIM Swap #Scam… Now There’s A Case Of SIM Swapping That Cost A Couple $140K

Posted in Commentary with tags , on March 22, 2024 by itnerd

Since my wife and I switched to Freedom Mobile, I’ve wondered about the security in place to stop things like SIM swap scams. I say that because the way that Freedom Mobile has set up their “My Freedom” customer portal doesn’t seem all that secure to me. Which is why a story from Global News caught my attention as it details the story of a couple who are Freedom Mobile customers that lost $140K in a SIM swap scam:

Wayne Stork and his wife Diana had not heard of the SIM swap scam until they became victims.

The GTA couple did nothing wrong but they lost about $140,000 anyway.

“It’s a nightmare,” Wayne told Global News in a television interview, his wife Diana at his side.

“We’re doing this, in part, to get the word out,” Diana said.

The Storks are longtime customers of Freedom Mobile. Last September, when the couple were at home, Wayne’s phone suddenly stopped working.

“My phone went into SOS mode, it was deactivated,” he said.

From that point, Wayne had no use of the phone, but someone else had access to the personal information attached to it.

“He (Wayne) was watching his accounts drain of money, that’s when the panic set in,” Diana said.

Over the next 24 hours, scammers had gained access to Wayne’s stock trading account and other accounts, including a cryptocurrency one that contained the proceeds from an inheritance.

“The Bitcoin was worth $140,000, and we lost that,” Diana said.

When the couple called Freedom Mobile’s customer service line, they say a representative said records showed someone had obtained a new SIM card in a retail location in Toronto, apparently claiming to be Stork.

Stork says the phone representative asked “weren’t you in the store yesterday to get a new SIM card?” to which Stork said no, it wasn’t him.

So you’re likely wondering how a SIM swap scam ends up in someone losing a lot of cash. Well, people often use their cell phones, specifically text messaging, to receive multi factor authentication codes for the financial institutions or online services that they use. So if a threat actor can get their hands on your cell phone number and some other information like passwords and the like, they can drain you of all your cash.

Now while this incident didn’t involve the “My Freedom” customer portal, it does suggest that Freedom Mobile has weaknesses in terms of preventing this sort of scam from happening. After all, it should not be possible, or at least should be very difficult, to walk into a retail location and execute this scam in 2024. In fact, I pinged my “off the record” contacts at Rogers, TELUS, and Bell. While they don’t rule out the possibility of this happening with them, and they don’t know the specifics of how this incident was executed, all of them say that this would be far more difficult to execute with them because of the security measures that they have in place. Or put another way, they’re throwing shade on whatever security measures Freedom Mobile does or, more importantly, doesn’t have because they assume that they can do better. I’m not sure that I would make that assumption. But that’s just me. And what makes this worse is that now that this story is out there, other threat actors will specifically target Freedom Mobile because the perception will be that they are an easier target in terms of executing this scam. That’s bad for Freedom Mobile, and its customers.

Now if you’re worried about being a victim of SIM swapping, the Global News article as well as the link to what a SIM swap is has some actionable information. But the one thing that you could really do to protect yourself is use app based multi factor authentication rather than text message based multi factor authentication wherever possible. The moment you do that, you become safer, as app based codes are not tied to the SIM card in your phone. That does require financial institutions and online services to move in that direction. So you may be stuck with text message based multi factor for a while. Which means it’s up to carriers like Freedom Mobile to up their game to protect their customers. Let’s see if Freedom Mobile does that now that this incident is out in the public domain.

Here’s The Story Of One Of My Clients Who Just Narrowly Avoided Getting Caught Up In A #Scam

Posted in Commentary with tags on March 19, 2024 by itnerd

Yesterday was a typical Monday for me. Which meant that I was busy as Mondays and Fridays are my busy days. I had just come back to my home office after seeing a number of clients and found a voice mail with an urgent request for a call back from one of my clients. I could hear the panic in her voice so I called her back. And what unfolded next was someone who was clearly freaked out by a run in with a pop up scammer.

Before I get into the weeds of the story, let me quickly explain what a pop up scam is. Pop ups are generated by websites to offer users additional information or guidance (such as how to fill in a form, how to apply a discount code, etc.). So a pop up is typically not harmful. However, scammers have leveraged pop ups to allow them to perpetrate their scams in a variety of ways. Scammers use pop-up scams to make money by preying on concerned users who want to ensure their computer is secure and extorting money from you to fix problems and resolve threats that do not exist. Or they want to get into your computer to collect information to steal your identity or steal your money, or both. In the worst case, these pop-ups can install malware onto your computer which can cause all sorts of damage and issues.

Back to the story. My client saw this pop up on her computer:

She tried to get rid of this screen, but couldn’t do so. More on that later. She then panicked and called the number on the screen. The scammer who claimed he was a “Level 5 Microsoft Technician” (Fun fact: Microsoft doesn’t have “Level 5 technicians”) then proceeded to execute the scam. He got access to her computer and then blanked her screen so that he could install ConnectWise Screen Connect which would give him access to her computer anytime he wanted to. The reason that the scammer blanked her screen is that he didn’t want her to see what he was up to as that would have made her suspicious. He then ran a variety of commands to convince her that her computer had been “hacked”. For example the scammer ran the “Tree” command inside a command window followed by the “netstat” command to accomplish that. After that he tried to convince her to open her online banking. That’s when she got suspicious and not only ended the call, but she also disconnected her Internet entirely. Then she called me.

Now let me stop here and say something. Scammers rely on putting pressure on you so that you suspend your critical thinking which allows them to do what they want. But my client did not suspend her critical thinking and was able to stop this scam from going further. Or put another way, her “Spidey Sense” went off and she paid attention to it. That’s good because if something doesn’t seem right, it usually isn’t. And you should run from that situation as quickly as possible. Thus I really applaud this client for listening to her gut and taking action to stop the scam before it went too far.

When I arrived on site, I had a look at her computer. The first thing that I dealt with was the installation of ConnectWise Screen Connect. The scammer had installed it as a service, meaning that it not only would activate every time the computer was on, but the owner of the computer would have difficulty finding it and removing it. But because this wasn’t my first rodeo in terms of dealing with scammers, I found it and killed it quickly. I then examined her computer to see what the threat actors did, and it seemed that they were early in executing the scam. So that meant that they likely didn’t have time to do much of anything. I also found the pop up that she encountered and I noted that the pop up made itself take up the entire screen. That made it difficult to close. However, the pop up was designed to have a close button that was small and not easily noticed so that the scammer could “fix” the threat that the pop up allegedly created. Other than that, I could find no other problems with the computer. Thus I had her turn on the Internet.

That’s the good news. Here’s the bad news. On the computer she had a Microsoft Word document with all her passwords on there. Thus I advised her to change all those passwords immediately as I could not guarantee that the scammers didn’t steal this document. The second thing that I advised her to do is to get credit monitoring because the same document had her social insurance number in it. Meaning that there was the possibility of identity theft. Finally, I advised her to watch the computer for any unusual activity.

Now let me dissect some key points of the scam so that you don’t fall victim to something like this:

  • If you encounter a pop up like this, it’s guaranteed to be a scam. Your antivirus software will never require you to call a phone number to resolve an issue. Anything that the antivirus software encounters is usually resolved by the software itself.
  • The pop up can usually be closed without too much of a problem. However, if the pop up will not go away by closing it, try restarting the computer. If that doesn’t work, turn off the computer and contact a computer professional for assistance.
  • Microsoft does not provide support for end users and they never have. Any and all support for Windows is provided by whomever you bought the computer from. As in Dell, or HP, or Lenovo for example.

Finally, I handed the phone number from the picture above to the scam baiter community so that they can have “fun” with these scammers. By that I mean that they will get more intel on them and do things to disrupt their scams. Because I know from experience that getting law enforcement in these situations is difficult at best. But scam baiters can do a lot of damage to these scumbags and expose their activities. Thus that is the best that I can do to make these scumbags pay for what they did to this woman as they really freaked her out. And that’s not cool with me.

Hopefully this story was informative and gives you some insight. If you have any questions, please reach out by leaving a comment below.

BEWARE: Bell Is Being Used In A Phone #Scam Related To Fibe Internet

Posted in Commentary with tags , on March 13, 2024 by itnerd

I just got a scam phone call that everyone should be aware of. How do I know it was a scam phone call? Well, first of all I got a call from a local area code. When I picked up, I heard a message saying that Bell Canada had just completed their upgrades to fibre and I was being offered an upgraded and faster “router” at no charge. This was a red flag for me as I know that Bell has suspended their fibre rollout because they’re upset with the CRTC. Besides that, I already have Bell fibre optic Internet. So unless I have missed something, there should be no reason why they would be contacting me to swap out my “router”. More likely they would wait for my HH4000 to die. Then I would call in to get a replacement which would likely be the Gigahub. The other thing that got my attention about this message was the call quality was horrendously bad. The message was full of static and at times I could barely understand it. No telco would ever have a message that is that bad.

The message asked me to press one to get my delivery date. Now given everything that I have explained above, what I should have done is hang up. But as proven multiple times on this blog, I want to dig in further. So I pressed one and quickly got a male with an Indian accent. That’s another red flag as the last time I checked, Bell outsources to the Philippines. Again the quality of the call was so bad that I could barely make out what he was saying, and eventually the call disconnected.

Now while I was 99% sure that I was being scammed, I wanted to confirm it with Bell. Which is why I served up this Tweet to them:

While I was waiting for them to respond to this, I decided to look up the number that the phone call came from. I traced it back to the fax line of an electrical company in Markham, Ontario. Thus confirming that the call didn’t come from Bell as calls from Bell typically pop up as your local area code followed by the digits 310-2355. Though if a Bell tech is calling you, that will not be the case as they use their cell phones. And if you’ve called a tech, you’ll be expecting their call. So, why are they spoofing a local number? It’s to encourage you to answer the call because so many of us won’t answer calls from long distance numbers that we don’t know.

Bell got back to me on Twitter to confirm what I already knew:

Though they didn’t come out and say it, it was a scam call. Clearly there’s a threat actor out there who is using Bell to perpetrate a new scam. I wasn’t able to play along to figure out what their game is. But if they do call back, I’ll go into the weeds and let you know about it. But in the meantime, if you get one of these calls, do yourself a favour and hang up.

Air Canada’s Aeroplan Is Being Used In An Email Based Phishing #Scam

Posted in Commentary with tags on March 13, 2024 by itnerd

Some new scams have hit my inbox as of late. And this Aeroplan one is interesting. For those of you who don’t know what Aeroplan is, this is an airline rewards program that is run by Air Canada and its partner airlines. I have an Aeroplan account so I do get marketing emails from them. But one look at this, I knew that this wasn’t one of them:

So the first thing was the fact that the word Aeroplan was highlighted several times. That is odd and when I compared it to other Aeroplan emails, this wasn’t present. So that put me on alert. The other thing that put me on alert is the typical scam hook of if you don’t do something, bad things will happen to you. In this case, if you don’t click the link to upgrade your Aeroplan account, your account will be limited. Whatever that means. Then there were the words “Kindly use the link below to upgrade your account.” Neither Air Canada nor Aeroplan would ever use language like that. Finally, the email was allegedly sent from my personal email account. Meaning that the threat actor spoofed my email.

I wanted to go down the rabbit hole to see what the threat actor was up to. So before clicking on the link, I hovered my mouse cursor over it and saw this:

That looks like a link that has been shortened by Twitter’s link shortener. And that’s done to cover up the fact that if you click on it, which you should not do if you get this email, it will be taking you to someplace other than the Aeroplan website. But since I investigate these scams, I clicked it and this is what I got:

Now I have to give the threat actor credit here. Just like the email, this website is a very good replication of the actual Aeroplan website. Most people I think would be fooled by this. But if you look at the address bar, you’ll see that you’re not at the Aeroplan website as it’s not Aeroplan.com.

And at first glance, this fake website is going after your login details so that presumably the threat actors can log into your account and drain it of your Aeroplan points in the form of gift cards or something like that. And what’s interesting is that the website might be trying to validate that you’ve entered a valid Aeroplan number because when I tried to enter a bogus number, I got this:

This was also the case when I tried to enter a bogus email address. Clearly this threat actor has some skills as they really want to get your login details. And what’s even more interesting is that the links to create a new account or reset your password go to the real Air Canada website. I guess that they’re hoping that those who don’t remember their passwords will reset them, then come back to enter them in what’s clearly a phishing site. What concerns me is the fact that the threat actor has spoofed my email address to try and scam me. That implies that this might be a targeted attack. I wonder if this is related to the fact that Air Canada got pwned in 2018. Then pwned again in 2023. And the threat actor or actors behind either of those attacks are using the information gained in either of those events to launch further attacks against Aeroplan members. Seeing as I’ve been an Aeroplan member for years, that seems plausible. Thus I would be interested to know if you’re an Aeroplan member and you get an email like this. If so, feel free to leave a comment below.

A Disney+ Email #Scam Is Making The Rounds

Posted in Commentary with tags on March 9, 2024 by itnerd

I’ve come across a Disney+ Email scam that you should be aware of that is pretty interesting as this is the first Disney+ scam email that I have come across.

Let’s start with the email that you get:

This email by scam standards is pretty good. But I will note the following. For starters, it never mentions you by name. That’s because this email is emailed out to thousands of people hoping that someone will take the bait. Then there’s where this email is sent from:

That’s not a Disney+ email. And as far as I know, they have chat and phone resources for account and billing issues. So that’s a #Fail. Next is this:

That link clearly doesn’t go to a website that is controlled by Disney+. Thus this is clearly a scam and you should delete this email immediately if you get it. But since I work to expose these scams, I’m not going to do that. But to be clear, don’t be me as I am a trained professional.

Clicking that link takes you here:

First you go to a CAPTCHA. But it’s a demo likely “borrowed” from the company. It even says so in the top left. And that’s where you’ll also notice that these losers are using a WordPress site to pull this off. The “W” next to the words “Captcha Demo” is the big giveaway. Once you get past that, you go here:

This is a fake Disney+ login page. I typed a fake email address and password in and I got past this. That could mean that they are trying to capture credentials, or this is just a gateway to their ultimate goal. Either is possible. Next up is this:

They’re clearly trying to steal your credit card details. And they have logic built into this website to make sure that the card number is valid. Thus at the very least, these threat actors are trying to steal your credit card info. At worst, they’re also trying to snatch your login details to Disney+. It would be a shame for these threat actors if I sent this information to Disney+.

Oh wait. I did before posting this.

In any case, this email illustrates why you need to be careful and closely look at anything that hits your inbox as anything could be a scam email that could catch you out.

Beware Highway 407 Drivers…. This Is One Of The Most Convincing Phishing #Scam Websites I Have Seen In A Long Time

Posted in Commentary with tags on February 8, 2024 by itnerd

A reader alerted me to a phishing text that is going around that is directing people to https://hwy407etr.com to pay a bill for Highway 407, which is a toll highway in Toronto. The thing is that this isn’t the actual Highway 407 website. But you’d never know it because it is very well done. Let me illustrate:

This is the fake website. The real one which is https://407etr.com looks like this:

The general theme of the website is pretty much the same, and I can easily see people being caught out if they don’t pay attention to which website they are going to. What’s even more interesting is if you go to “Create My Account” or “Log In”, it takes you to the real Highway 407 website. Having said that, I would close the browser completely and start over by going to the real 407 website just in case the threat actors have done something to try and capture login details.

Now if you click on “Make a Secure One Time Payment” you get this:

You’ll note that the payment amount is already filled in. How does the website know what dollar amount you owe if you haven’t logged in? Well, it doesn’t because it’s just a ruse. The endgame becomes clear once you click “Continue”:

The endgame for the threat actors is to snatch your credit card details. Now I wasn’t able to go beyond this because there was logic to check the validity of the card that you entered. But it’s crystal clear what they are up to.
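Four posts on this page (the CRA refund, CIBC, Disney+ and Highway 407 scams) note that the fake payment form rejected bogus card numbers. The check that legitimate payment forms use, and that these sites almost certainly copied, is the Luhn mod 10 checksum that the last digit of a card number is built from. The following is an added example, not code from any of the posts or from the scam sites; the function names and the sample numbers are my own, and 4111 1111 1111 1111 and 4242 4242 4242 4242 are the well known publicly documented test card numbers. It is worth seeing what the check does and does not prove: a number that passes only has a correct check digit, it says nothing about whether an account exists, so a site enforcing it is filtering typos, exactly as the posts describe.

```python
def _normalize(raw: str) -> str:
    """Strip the spaces and dashes people type between groups of digits."""
    return raw.replace(" ", "").replace("-", "")


def _luhn_sum(number: str) -> int:
    """Sum per ISO/IEC 7812: from the right, double every second digit and
    subtract 9 from any doubled value above 9."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(raw: str) -> bool:
    """True if the number is 12 to 19 digits and its check digit is consistent.
    Non-digits (after removing spaces/dashes) make it invalid rather than raising."""
    number = _normalize(raw)
    if not number.isdigit() or not 12 <= len(number) <= 19:
        return False
    return _luhn_sum(number) % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Compute the check digit a card issuer appends to the first n-1 digits."""
    partial = _normalize(partial)
    if not partial.isdigit():
        raise ValueError("partial number must be digits only")
    # Append a 0 so the parity lines up, then pick the digit that makes the sum a multiple of 10.
    return str((10 - _luhn_sum(partial + "0") % 10) % 10)


def explain(raw: str) -> str:
    """Human readable verdict, the kind of message a form shows the user."""
    number = _normalize(raw)
    if not number.isdigit():
        return "rejected: contains non-digit characters"
    if not 12 <= len(number) <= 19:
        return f"rejected: {len(number)} digits is not a card number length"
    if _luhn_sum(number) % 10 != 0:
        return "rejected: check digit does not match (typo or made-up number)"
    return "accepted: checksum valid (existence of the account is NOT proven)"


if __name__ == "__main__":
    # Constructed samples: public test numbers plus an obviously made-up one.
    for sample in ("4111 1111 1111 1111", "4242-4242-4242-4242",
                   "1234567890123456", "4111111111111112", "12345"):
        print(f"{sample:>22} -> {explain(sample)}")
```

Seeing the same checksum logic inside the JavaScript of a page that is not the bank's own site is a strong sign of what the form is for, which is one more reason to close the page rather than keep typing.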

Now as far as I know, the people who run Highway 407 don’t use text messages to communicate to you. So if you get one of these text messages, it’s a scam and you should delete it ASAP.